Security Roundup - 2016-09-07

Engadget has posed the question ‘should we be worried about election hacking?’, rounding up a lot of election data problems from the last several weeks, including the FBI alerting that at least 2 state election databases were hacked into, as well as various groups hacking voting machines, certain groups refusing security audits, and state representatives sending people complete voter lists. Thankfully, some of the older voting machines are being phased out after support has ended but, overall, eVoting seems like a risky prospect.

Mobile 2FA tokens seem to be the safest 2FA option, right? Given enough time and resources, anything is hackable, as one researcher demonstrates the ability to clone a 2FA app. Current research involves root-level access, a lot of bypasses, and only impacts some demo apps, so the attack is not particularly practical at this time. A full set of slides is available here.

Last.fm joins the 2012 megabreach crowd with 43 million user accounts surfacing. Last.fm knew about this breach in 2012 and already took steps to protect users, but is pre-emptively taking steps again, having not expected this data to surface 4 years later. Sadly, it appears that Last.fm was using unsalted MD5 hashes, meaning that the majority, if not all, of the passwords are probably known.

Rapid7 has been scanning parts of the internet for a number of years now, and has decided to do a nice write-up of NetBIOS collection, which is part of their scans.io dataset. Unsurprisingly, there are a lot of NetBIOS services exposed on the internet, despite recent high-profile vulnerabilities like HotPotato and BadTunnel.

Google has rolled out changes to their Safe Browsing tool for webmasters, adding further transparency and actionability on issues they detect.

Rapid7 has continued research into SNMP for Networked Management Systems, finding another 11 vulnerabilities across 4 different vendors.

Security researchers have discovered how to use Tor’s hidden service directories in a correlation attack against anonymity. The Tor Project has already indicated that the attack will be mitigated with the next generation of hidden services. Meanwhile, a number of Tor alternatives are springing up, aiming to provide solutions for some of Tor’s current known problems.

BleepingComputer’s ransomware roundup gives the lowdown on all the ransomware updates and variants. Also this week: ransomware that communicates over UDP and harvests system information.

Written on September 7, 2016